KMT.Development

Privacy Policy

This policy explains how KMT Pilot handles personal data, third-party API access (Google, LinkedIn, OpenAI) and storage. Last updated 2026-05-12.

1. Who we are

This Privacy Policy applies to the KMT Pilot platform (kmt-pilot-seo.vercel.app), operated by KMT Development, based in Lyon, France.

KMT Pilot is a B2B SaaS platform used by our team and by our professional clients (SMEs) to manage their business: SEO content generation, Google Business profile management, sales prospecting, public tender monitoring, LinkedIn publishing, customer reviews, traffic analytics and various automations.

Each professional client remains responsible for the data they connect to the platform (Google, LinkedIn, websites). KMT Development acts as a data processor under GDPR when handling client data, and as a data controller for data strictly related to platform operations.

2. Data collected

Account data: email, name, hashed password, linked organization, role.

Business data: company contact info, website, registration number, third-party integration identifiers (Google Analytics property ID, LinkedIn URN, etc.).

Data from authorized third-party APIs: Google Analytics statistics, Search Console data, Google Business listing content, scheduled or published LinkedIn posts, engagement metrics, AI-generated content.

Technical data: server logs (anonymized IP addresses, timestamps), user agent, Vercel performance metrics.

We do not collect any sensitive data as defined by Article 9 of the GDPR.

3. Google API integrations

KMT Pilot uses Google APIs to help clients manage their online presence. Each connection is explicit: the client grants the scopes below through standard OAuth 2.0 consent and can revoke access at any time from https://myaccount.google.com/permissions.

  • Google Analytics Data API (GA4), scope analytics.readonly: read traffic metrics (sessions, users, page views, traffic source) to display in the client's dashboard.
  • Google Search Console API, scope webmasters.readonly: read search queries, impressions and organic clicks for SEO reports.
  • Google Business Profile API, scope business.manage: display and update the client's Google Business listing (info, photos, posts, review replies) only at their explicit request.
  • Google Ads API, scope adwords: read campaign performance to aggregate it in the dashboard.
  • Gmail API — restricted to send (gmail.send) and drafts: send prospecting emails written by the user via KMT Pilot, only on behalf of the connected account.
  • Google Drive API, scope drive.file: only files explicitly imported by the client into KMT Pilot. No general Drive access.
  • Google Calendar API, scope calendar.events: create client appointments when the booking portal is enabled.

Google API Services User Data Policy compliance. KMT Pilot complies with Google's Limited Use Policy. Data obtained through Google APIs is never sold, never used for targeted advertising, never used to train AI models, and never accessed by humans except for support requested by the client themselves or to meet legal obligations.

4. LinkedIn API integration

KMT Pilot integrates the LinkedIn API to allow our clients to publish posts from their personal profile or Company Page without having to log into LinkedIn manually each time. The client grants the scopes below through standard LinkedIn OAuth 2.0 consent.

  • openid, profile, email: user identification (Sign In with LinkedIn using OpenID Connect). This only lets us know which LinkedIn account is linked to which KMT Pilot organization.
  • w_member_social: publish a post on behalf of the connected personal profile. KMT Pilot never publishes without an explicit client action (click on Publish, or Schedule for a date chosen by the client).
  • r_organization_admin: list the Company Pages where the user is admin, so they can pick the target page.
  • w_organization_social: publish a post on a Company Page the user administers, only at their explicit request.

Stored data: access token (encrypted at rest), LinkedIn URN, display name, profile picture, token expiration date, refresh token. No background reads of the feed. Tokens are deleted immediately on voluntary disconnect or contract termination.

Revocation: the client can revoke access at any time from www.linkedin.com/psettings/permitted-services or via the "Disconnect" button inside their KMT Pilot dashboard.

5. AI content generation (OpenAI)

KMT Pilot offers AI-powered drafting (SEO articles, LinkedIn posts, prospecting emails, Google Business descriptions) powered by the OpenAI API (GPT-4o-mini or equivalent).

Data sent to OpenAI: the topic typed by the client, the desired tone and format, and a short excerpt of the organization's public context (name, website, brief public description). No third-party personal data, no Google or LinkedIn credentials, no access tokens are ever sent to OpenAI.

Per OpenAI's enterprise API terms, data sent through the API is not used to train models and is deleted after 30 days on OpenAI's side (retention for abuse detection only).

6. Hosting and storage (Supabase + Vercel)

User data is stored on Supabase (managed PostgreSQL, eu-west-1 region, Ireland). Communication between KMT Pilot and Supabase is TLS-encrypted. Sensitive tables (OAuth tokens, user accounts) are protected by Row Level Security and only accessible via the server-side service key.

The application is hosted on Vercel Inc. (United States). Static files and server functions do not persist personal data.

Transfers outside the EU: Vercel and OpenAI are US companies. Transfers are covered by the European Commission Standard Contractual Clauses and by EU-US Data Privacy Framework certifications when available.

7. Lawful basis and purposes

  • Contract performance (GDPR art. 6.1.b): user account, organization business data, authorized API integrations.
  • Legitimate interest (art. 6.1.f): security logs, fraud prevention, service improvement.
  • Consent (art. 6.1.a): connecting a third-party API (Google, LinkedIn). Consent can be withdrawn at any time via revocation on the third-party platform and on KMT Pilot.

8. Retention

User account data is kept for the duration of the contract, then archived for 12 months after termination (accounting and tax obligations), then deleted.

Google and LinkedIn OAuth tokens are deleted immediately upon voluntary disconnect or contract termination. Technical logs are kept for 12 months.

9. Your rights

Under GDPR, you have the following rights regarding your data:

  • Right of access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the French DPA (CNIL, www.cnil.fr)

To exercise these rights, contact contact@kmtdevelopment.com. We will respond within 30 days.

10. Cookies

KMT Pilot uses no advertising cookies or third-party trackers. Only strictly necessary functional cookies are set: session cookie (authentication), theme preference, admin impersonation state. These do not require prior consent under the ePrivacy directive.

11. Security

All communication with KMT Pilot is HTTPS-encrypted (TLS 1.3). Passwords are hashed (bcrypt). Supabase tables containing OAuth tokens or sensitive information are protected by Row Level Security and only accessible via authenticated server-side routes. No external team has read access to client data. Our infrastructure undergoes regular security audits.

12. Contact

For any question regarding this policy or to exercise your rights: contact@kmtdevelopment.com.
KMT Development, Lyon, France.